Industry View

VoIP Security: The Basics

Yes, voice-over-IP threats exist, including some new wrinkles. With care, Sonus Networks' Bob Bradley says you can mitigate risks to your networks.

By Bob Bradley, Sonus Networks

Page 2

The Solution:
To mitigate this risk within the local network and maintain call privacy, virtual LANs (VLANs) can be used to segregate traffic and/or encrypt media streams to the enterprise edge. Many SIP-based endpoints such as an integrated access device (IAD) or an IP PBX support "built-in" encryption of signaling (TLS - Transport Layer Security or IPSec) and media (Secure RTP) can also address this possible vulnerability.

Threat #3: Lack of hardening VOIP elements by vendors
Many of the elements in an enterprise VOIP network (IP PBXs, feature servers, interactive voice response (IVR), voicemail systems, provisioning systems, SIP proxies, smart phones, etc) use commodity operating systems such as Windows, Solaris, and Linux and, as such, are subject to O/S specific vulnerabilities such as viruses and malware.

The Solution:
All elements in an enterprise VOIP network must be properly hardened and customers should demand vendor verification of the hardening prior to purchase. This is a "best practice" well understood in the data world and is equally applicable when adding IP based voice elements to the mix. It's a little more work on the customer's side but well worth the effort and peace of mind in the long run.

Threat #4: Follow Systems operation "best practices"
A recent Internet search of one IP PBX vendor which was directly connected to the Internet revealed a number of systems that could be logged into because the default passwords were not changed. This can have unnecessary consequences for the IP-network.

The Solution:
This is a simple threat that can be easily avoided by taking the time upfront to change factory default passwords when new systems are installed. And, as mentioned earlier, any VoIP element based on commodity operating systems must be hardened, unnecessary services disabled and unused ports closed. Additionally, it is imperative to perform security related event logging for auditing purposes and traceability to ensure ongoing network integrity. Once again, common sense should prevail and this process won't break the bank to execute on.

Threat #5: Vhishing and SPIT and unwanted calls, oh my!!
Just like unwanted email vis-à-vis SPAM, it is easy for a hacker to set up multiple systems or "bots" to blast calls to a VoIP phone with ease. This phenomenon is known as SPITing ⬠spam over internet telephony. Additionally, hackers can also use the tactic of vhishing as an attempt to "spoof" end users into surrendering personal information such as credit card numbers, bank accounts, social security numbers, etc., under the guise of needing this info for a legitimate reason.

voip security

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Security Directions: A Virtual Conference

Security Directions Available On Demand Sept. 30 - Dec. 30

Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.

» Register Now

WEBCAST
Protecting PII: How to Work with IT to Manage Risk

Compuware Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.

» View this Webcast

Featured Sponsors